Towards Understanding IT Security Professionals and Their Tools

David Botta ; Rodrigo Werlinger ; André Gagné ; Konstantin Beznosov ; Sid Fels ; Lee Iverson ; Brian Fisher

20 June 2007

Abstract: It is estimated that organizations worldwide will spend around $100 Billion USD on IT Security in 2007. A notable size of this will be spent on tools but little is known how effective IT security tools, and what works and what does not. "Human, Organization, and Technology Centred Improvement of the IT Security Administration" (HOT Admin for short) is a three year long research project funded by the Canadian government and headed by Konstantin Beznosov at the University of British Columbia. It aims to investigate methodologies and techniques for evaluating and developing better tools for managing IT security in organizations. The project is in its first stage, which is a field study of IT professionals who are involved in security management. In conducting 14 interviews with IT professionals from 5 different organizations, we focused on the interactions of technological, organizational, and human factors. Our results suggest that the job of IT security management is distributed across multiple employees, often affiliated with different organizational units or groups within a unit and responsible for different aspects of it. Our participants had to meet three disjoint responsibilities: design, response, and maintenance of IT security systems. To meet these responsibilities, security practitioners had to perform several tasks, such as: monitor systems, verify notifications, correlate different sources of information, and report. Three skills stand out as significant to perform the tasks: inferential analysis, pattern recognition, and bricolage. In this presentation we will report our preliminary findings. We will discuss the similarities found across the organizations in the areas of the organization structure, the responsibilities of a practitioner, the skills needed. We will also discuss what our participants liked and did not like about their tools and possible directions for improving security tools.

Keyword(s): HOT Admin ; Field Study ; Usable Security ; IT Security Management

Published in: David Botta, Rodrigo Werlinger, André Gagné, Konstantin Beznosov, Sid Fels, Lee Iverson, Brian Fisher, "Towards Understanding IT Security Professionals and Their Tools," CIPS Vancouver Security SIG Meeting, Vancouver, 13 June, 2007, pp.20.:

The record appears in these collections:
Usable Security

 Record created 2009-04-27, last modified 2013-05-22

Transfer from CDS 0.99.7:
Download fulltext

Rate this document:

Rate this document:
(Not yet reviewed)